
Strategic Partnering Taskforce

Risk Management
Technical Notes
Produced in conjunction with RSM Robson Rhodes

February 2004 Office of the Deputy Prime Minister

Office of the Deputy Prime Minister Eland House Bressenden Place London SW1E 5DU Telephone 020 7944 4400 Internet service www.odpm.gov.uk Crown copyright 2004. Copyright in the typographical arrangement and design rests with the Crown. This publication (excluding the Royal Arms and logos) may be reproduced free of charge in any format or medium provided that it is reproduced accurately and not used in a misleading context. The material must be acknowledged as Crown copyright with the title and source of the publication specified. Further copies of this report are available from: Kevin Davies ODPM 3/A6 Eland House Bressenden Place London SW1E 5DU Tel: 020 7944 5190 Fax: 020 7944 4099 E-mail: kevin.davies@odpm.gsi.gov.uk Published by the Office of the Deputy Prime Minister. Printed in the UK, February 2004 on material containing 100% post-consumer waste. Product code: 04LRGG 01971

Strategic Partnering Taskforce Structures Technical Notes


Contents
PREFACE

CHAPTER 1
1 Risk Management Who is Responsible?
2 When to Consider Risk?

CHAPTER 3
3 The Risk Management Process

CHAPTER 4
4 The Types of Risk
5 Risk Management

Appendix A: Gateway Process
Appendix B: Strategic Risks
Appendix C: Generic Project Risks
Appendix D: Corporate and E-government Risks
Appendix E: Education, Health and Social Services Risks
Appendix F: Transport and Environment Risks
Appendix G: Reference Documents

PREFACE
INTRODUCTION
The former Department of Transport, Local Government and the Regions (DTLR) established the Strategic Partnering Taskforce (SPT) in September 2001 to support local authorities that wished to implement strategic service delivery partnerships. The SPT, which is now sponsored by the Office of the Deputy Prime Minister (ODPM), has a responsibility to carry out an active research programme and disseminate information in respect of partnering and improved service delivery.

The work of the SPT represents part of the national strategy to provide firm foundations for better procurement. The SPT's responsibilities for that national strategy are set out in Towards a National Strategy for Local Government, the Joint Response of ODPM and the Local Government Association (LGA) on the review of local government procurement which was chaired by Sir Ian Byatt. In the foreword of the response John Prescott, Deputy Prime Minister, and Sir Jeremy Beecham, LGA, state that the work of the Strategic Partnering Taskforce, the conclusions of the Best Value Review and the capacity building proposals in the White Paper, Strong Local Leadership Quality Public Services, provide a sound foundation for a national strategy to improve local government procurement.

The SPT is issuing a series of publications entitled Rethinking Service Delivery in response to that responsibility. The purpose of these publications is to offer practical solutions to local authority members and officers on how to go about achieving real improvement in services. These publications refer to, and make recommendations about, risk and risk management throughout the process of developing a strategic service delivery partnership (SSP), albeit briefly. These technical notes expand on what has already been said in these publications.

Their purpose is to help guide and structure local authorities' approaches to risk and risk management at a strategic and project level by allowing them to refer to one document that addresses the main issues of risk affecting major partnering contracts. The technical notes are designed to:

Guide local authorities when deciding on who to involve in the risk management process and at what stages in the project/partnership to consider risk;

Assist members and chief officers needing to consider the main strategic and corporate risks of a partnering project;

Assist local authority officers, risk and project managers to consider and manage possible project risks. It outlines a framework for:

Identifying risks;

Assessing risks;

Controlling the risks; and

Monitoring the risks.

ACKNOWLEDGEMENT
These notes have been produced under the guidance of the SPT's legal and technical team. Kate Fitzsimons from RSM Robson Rhodes has been the principal author of this publication. Her contribution is gratefully acknowledged. We also thank the local authorities, government departments, Audit Commission and other organisations that have made helpful comments on the draft versions of the guidance.

EXECUTIVE SUMMARY
INTRODUCTION
Strategic Service delivery Partnerships (SSPs) are considered to be one of the few ways of achieving step-change in service performance. Partnership deals do, however, carry risks and in order to achieve the desired step change the risks need to be initially identified and then mitigated and managed successfully. At their highest level, risks that impact on partnership success can be grouped into four categories:

Failing to ensure an effective strategic fit;

Failing to identify and address the gaps and shortfalls in relationships;

Failing to fully assess and plan for the organisational impact the changes will have; and

Failing to robustly develop and test the economic case for the partnership.

To control these, particular care needs to be taken in defining the business case, going through the procurement process, specifically the preparation of contracts, and in establishing long-term relationship and contract management procedures. As a general rule, managing risks in a proactive way will help the partnership deliver its objectives.

It is important to recognise, however, that risk is not entirely bad. Every major work effort does involve risk; however, with risk comes knowledge and opportunity - the opportunity for planning to overcome potential threats to project success. The opportunity develops with the project team's knowledge and understanding of the risk factors and the preparation of a risk management plan to mitigate the risk.

There are many definitions of risk and risk management but in their simplest form they can be defined as:

Risk is a measure of the inability to achieve overall programme objectives within defined cost, schedule, and technical constraints and has two components:

The probability of failing to achieve a particular outcome; and

The consequences of failing to achieve that outcome.

Risk Management is the act or practice of controlling risk. It includes identifying risks, assessing risk areas, developing risk-handling options, monitoring risks to determine how risks have changed, and documenting the overall risk management programme.

THE CRITICAL SUCCESS FACTORS


For risk to be handled effectively within a partnership there are four key elements that need to be in place:

A senior management team that includes members of staff from all organisations within the partnership, who support, own and lead on risk management;

A risk management framework approved and agreed at the senior level, within which risks will be identified and managed on an on-going basis;

An organisational and partnership culture, which supports well thought through risk taking and innovation; and

Risk management thinking fully embedded in management processes and consistently applied throughout all project and partnership activities.

FORMAT OF THIS GUIDANCE


These technical notes highlight risks to be considered at the outset of a project life, i.e. from the initial idea for a partnership project, through to project completion and post contract award. Whilst the terminology used assumes procurement is taking place, the principles in this guidance apply to all partnership forms. It relates to risk management from the perspective of a public sector organisation embarking on a partnering arrangement. Where relevant it defines the subtle differences that need to be considered or focused on depending on the structure and approach to partnering (i.e. public-private partnership, public-public partnership or an incremental approach to partnering procurement).

For members, chief officers, risk and project managers it sets out issues they need to know about and consider. It does not seek to outline all risks that an SSP project may face or indeed a definitive way to manage or mitigate a risk. It puts forward an approach for the identification, assessment and management of risks to help authorities with their risk analysis while also suggesting common risks that may be encountered.

This guidance draws on the experiences of the SPT's pathfinders and best practice approaches used elsewhere both within the public sector and across other sectors and industries. Its aim is to summarise the key messages that are critical for an authority and its officers to consider when embarking on an SSP. The notes are not designed to be the sole source of advice on risks but capture the main points for consideration. Where appropriate, reference is made to other guidance that will help inform an authority and the key stakeholders on risk.

CHAPTER 1

1 Risk Management Who is Responsible?

1.1 Reviewing risk is not just an activity within a project to be looked at and ticked off. Risk management should be an approach to the whole way of operating. Everyone contributes to risk management, the whole project team, and all the stakeholders involved with a project.

However, although risk management should be embedded in the culture of an organisation, it is good practice for the responsibility of risk management to be given to a nominated Risk Manager. This person has overall responsibility, accountability and authority for ensuring that the risk management process is deployed and operated effectively.

Integrated risk management is central to corporate governance and is considered a fundamental of effective project management. In line with this, the Risk Manager may also be the Project Manager for the SSP. However, as said before everyone contributes to risk management and all project stakeholders should participate in the risk identification and analysis process with the extended project team carrying out risk management and mitigation activities.

THE ROLE OF A RISK MANAGER


1.4 The Risk Manager is the individual who orchestrates the whole risk management process.

1.5 The responsibilities of the Risk Manager should be:

To ensure that risk management is considered an integral part of project management and that risk management activity is integrated within normal partnership tasks;

To develop the risk management plan;

To facilitate the identification of risks;

To process risk data to enable the risk register to be populated and updated;

To prepare risk reports for scheduled and on-going review meetings; and

To keep a record of lessons learnt.

1.6 Summarised below are tips for the Risk or Project Manager on how to lay the groundwork for successful risk management:

Demonstrating clear ownership of the risks;

Plan, plan, plan - there is no substitute for planning before commencing the project;

Involve all stakeholders in risk identification;

Conduct risk discussions as a normal part of project/partnership meetings;

Keep the risk management process short and simple, but an ongoing, not a one-off, task.

INVOLVING OTHER STAKEHOLDERS


1.7 To facilitate involvement from everyone, it is recommended that at the outset of a partnership project a Risk Management Group be established. This may include senior officers, departmental representation, partner representations (as early as possible), and specialist advice from, for example, internal audit, health and safety, information technology, personnel.

Figure 1: Stakeholders of a Risk Management Group

The Risk Management Group draws on:

Members and Senior Officers

Representatives from other organisations of the SSP

Specialist Groups: Departmental representatives; Internal Audit; Health and Safety; Information Technology; Personnel

Project Manager and Risk Manager

1.8 The Risk Management Group needs to fit into a wider risk management structure and the roles and responsibilities of the group need to be clear and defined. At one end of the scale the group will assign risks to an appropriate risk owner who is the identified and agreed person most appropriate to control an individual risk and is responsible for monitoring and managing the risk. At the upper end of the scale it will feed into a senior management and governance group.

1.9 The appropriate risk management structure and number of people to be involved will depend on the size of the organisation and staff availability. A suggested risk management structure for a large organisation undertaking a major partnering contract is shown below:

Figure 2: Risk Management Structure

Senior Officers Group; Members Group

Governance Group (Independent review and assessment of risk management plan/risk register)

Risk Management Group

Individual Risk Owners (Evaluate risks and progress action plans)

(Link labels in the figure: Recommendations; Validated/Prioritised Risks)

1.10 The following questions can be asked and used as a checklist to ensure the risk management structure has been established effectively:

Is there partnership wide involvement in the structure?

Does everyone in the structure understand the importance of risk management?

Does everyone in the partnership have a clear view of the risk process?

Have clear individual responsibilities been set?

THE ROLE OF RISK OWNERS


1.11 Risk owners are nominated individuals identified as the most appropriate person to manage a specific risk. They are responsible for:

Assessing the probability and impact and formulating plans for risks they own;

Implementing the plans to manage risks for which they are responsible on time;

Updating the Risk and Project Manager on a regular basis regarding progress;

Reporting on the progress of risks for which they are responsible to the Risk Management Group during risk reviews.

JOINT WORKING
1.12 Joint working and partnerships often involve more complex types of risk, which can, if not correctly managed, adversely affect the delivery of services to the end users. More specifically, it is considered that risk is increased disproportionately in multi-organisation projects, be it with the public, voluntary or private sector, and as such this will need to be reflected in the partnership risk management plan and in judging how many risk managers are needed. It is important to be aware of the risk management processes across all partners at the outset. Sharing data and information in this instance will help to ensure that all risks are joined up and that risks can be identified and managed proactively and in the most efficient and effective way.

CHAPTER 2

2 When to Consider Risk?

2.1 Risk becomes a major factor to be considered at a number of stages in a partnership project. In particular it needs to be considered:

In the project management;

In the procurement process, including the evaluation of partnership proposals - strategic and economic assessment;

In the transition of the organisation; and

On into the partnership post contract award.


2.2 Risk identification will start at the partnership vision stage and will be carried out regularly throughout the lifecycle of the partnership procurement and on into the partnership arrangement. Risk, however, is not a one-time task to perform at stages of the project or partnership evolvement. The aim should be to embed risk management into the culture of the Council and its partnership arrangements.

Best practice shows that real benefits can be gained by undertaking the long term management of risks as a co-operative process between all parties in the partnership. In particular, a common risk management process as the partnership relationship develops will facilitate the use of common risk information and minimise duplication of effort and resources.

Risk management objectives should be agreed both internally within the local authority, prior to procurement of or working with a partner, and externally, post procurement, with the partners themselves. The objectives should include:

To use best practice to manage risks;

To create an environment that allows the partnership to anticipate and respond to change;

To prevent damage and loss, and reduce the cost of risk to all parties in the partnership; and

To raise awareness in managing risks throughout the Council and its partners.

2.6 Additionally, it is suggested that a risk management strategy is agreed and documented, and that the document is regularly reviewed and updated by the partnership.

2.7 The importance of adopting a risk management approach from the outset of defining the strategic partnering vision is that it:

Improves the likelihood of success for turning vision into reality as it encourages forward thinking and thus minimises unwelcome surprises;

Increases visibility - involving all stakeholders raises risk awareness and enhances accountability;

Enhances communication, which in turn improves the basis for strategy setting, performance management and decision making;

Adds realism from the outset, which gives a better basis for the allocation of resources and timetabling of the project.

CHAPTER 3

4 The Risk Management Process

4.1 This section outlines a recommended risk management process drawn from best practice. Officers, Risk and Project Managers should use it as a guide for the steps they need to consider.

AN OVERVIEW
4.2 Risk management involves identifying, analysing, and responding to risk factors that impact on a project or its objectives. In particular, the system must quantify the risk and predict the impact to the project.

4.3 The two main objectives of risk management are to:

Focus attention on minimising threats in order to achieve the project objectives by performing a high-level assessment of risks with all project stakeholders; and

Provide a systematic approach for detailed risk analysis and appraisal by:

Identifying and assessing risks.

Determining effective risk reduction actions.

Monitoring and reporting progress in reducing risk.

4.4 Risk management should involve five basic steps shown below:

Figure 3: Five Steps of Risk Management

1. IDENTIFY THE RISKS

2. ASSESS THE RISK

3. PLAN THE RISK RESPONSE

4. MONITOR THE RISK

5. DOCUMENT LESSONS LEARNT

4.5 The remainder of this section recommends a framework for addressing each of the five steps and can be used as guidance by Risk and Project Managers to structure an approach or as a checklist against their own approach.

STEP 1 IDENTIFY THE RISKS


4.6 Before being able to plan to manage a risk you need to identify and understand what the risks are. The identification stage is the activity to find, list and characterise elements of risk. Identifying risks is an ongoing task, and should not be completed only at the beginning of the project, but should be done throughout the project/partnership life. As a partnership arrangement progresses, stakeholders will become aware of new risks that will need to be managed. Use the Risk Management Group referred to in Figure 1 as a forum to identify risks on an evolving and continual basis.

4.9 Identification of risks cannot be undertaken unless a project or partnership's objectives, strategies and plans are clearly understood, documented and communicated to all relevant stakeholders. Therefore all stakeholders of the Risk Management Group should have this understanding. In order to help clarify this understanding the group will need to review business cases and planning documents that specify the partnership project. As a minimum this is likely to include reviewing:

The vision and business case for the partnership;

The specific deliverable and work processes that may be affected by the organisational change;

Any milestones and scheduled dates;

The resources impact from a value and sources perspective; and

Performance requirements of all partners.

4.11 Once an appropriate group has been formed and objectives, plans and strategies are understood, the group will be in a position to identify risks.

4.12 When identifying risks there is sometimes a danger of focusing solely on risks that are internal as opposed to threats and opportunities from external sources. It is useful to check that the risks identified relate to internal and external factors.

4.13 There are a number of techniques that can be used, where possible, to involve stakeholders and generate ideas in risk identification. These are summarised below:

Brainstorming - Use a facilitator. Involve a good range of stakeholders. Ensure that the forum allows open and honest discussions.

Interviewing - Can be one-to-one with project team members and/or key stakeholders to talk about risks they believe may impact on the project;

Learning from experience - Compare with similar projects where possible.

4.14 In order to aid risk identification you can also use a generic prompt list to generate initial thoughts and to act as a stimulus to identify risks.

4.15 The following section outlines generic risks that may be used as a prompt list.

STEP 2 ASSESS THE RISK


4.16 Once the risks have been identified, it is now important to assess those risks in a consistent way against agreed project and partnership criteria and to systematically:

Determine the likelihood of a risk occurring (PROBABILITY); and

Assess the severity of the consequences of the risk occurring (IMPACT).

4.17 Risk assessment explores the impact risk events have on a project. Cost is the obvious impact, but this is not the only issue. Risk assessment can include both qualitative and quantitative assessments of the probability of identified risks occurring and the impact of these in terms of:

Time;

Cost; and

Performance.

4.18 The decision on which qualitative and/or quantitative risk assessment model is most appropriate for an authority will depend on how sophisticated the risk management skills are within the authority and the nature of the risk. The remainder of this section sets out a framework of both qualitative and quantitative approaches.

Qualitative Analysis
4.19 Qualitative analysis involves describing the risk, why it may happen, and possible ways of controlling it. The analysis of probability and impact is carried out primarily by the Risk Owner, as they should be the person best able to analyse, plan and manage the risk. The analysis should, however, involve any relevant stakeholders, such as subject matter experts that may be able to provide informed views on levels of probability and impact.

Probability of Occurrence
4.20 The first stage of assessing the likelihood of occurrence is to review the long list of risks identified and eliminate the risks, which, on reflection, the Risk Management Group believes will not occur. The remaining risks then need to be classified in terms of their probability of occurrence. To ensure consistent assessment of risks it is necessary to have an agreed set of project and partnership criteria. A generic set of criteria has been defined below but these need to be tailored for specific projects and partnerships. It is recommended that the Risk Management Group define and agree the appropriate criteria:

High Risk: Likely to cause significant disruption to schedule, cost and performance of partnership. Probability of occurrence >50%;

Medium Risk: Has the potential to cause some disruption, however, potential problems may be overcome. Probability of occurrence 20-50%;

Low Risk: Has little potential to cause disruption to schedule, cost and performance of partnership. Normal effort by the project team and partnership members will probably overcome most difficulties. Probability of occurrence <20%.

4.24 The outcome from this exercise should be recorded on a risk register.

Severity of Impact
4.25 This stage is about evaluating each risk in terms of its possible impact on the project/partnership's baselines of time, cost and performance. As with the likelihood of occurrence, the first stage is to eliminate any risks that the Risk Management Group believes have no or only trivial impact on the baseline requirements.

4.26 As stated under likelihood of occurrence, to ensure consistent assessment of risks it is necessary to have an agreed set of project and partnership criteria. A generic set of criteria has been defined below but these need to be tailored for specific projects and partnerships and it is again recommended that the Risk Management Group define and agree the appropriate criteria:

Impact Rating: LOW
TIME: Effect of risk delays schedule or partnership implementation for: <3 months
COST: Effect of risk increases cost by: <10% of total or budgeted cost
PERFORMANCE: A few shortfalls in performance parameters of scope requirements, acceptance and quality.

Impact Rating: MEDIUM
TIME: Effect of risk delays schedule or partnership implementation for: 3-6 months
COST: Effect of risk increases cost by: 10-30% of total or budgeted cost
PERFORMANCE: Some shortfalls in one or two areas of scope requirements, acceptance and quality.

Impact Rating: HIGH
TIME: Effect of risk delays schedule or partnership implementation for: >6 months
COST: Effect of risk increases cost by: >30% of total or budgeted cost
PERFORMANCE: Major shortfalls in key parameters of scope requirements, acceptance and quality.

4.28 As part of the qualitative analysis it is important to consider and balance the negative risks with the potential opportunities an SSP will generate. This part of the risk assessment is a good time to include this by assessing opportunities against the same agreed criteria, although the impact definitions would be expressed as benefits (for example, medium time impact would be a potential saving of 3-6 months rather than a delay).

Once the probability of occurrence and the level of impact a risk will have are assessed in this manner, the risks need to be grouped into an order of priority for dealing with them. An easy way to present this information is on a chart similar to the one shown in Figure 4.

Figure 4: Risk categories

Grid of Impact of Risk (vertical axis) against Likelihood of Risk (horizontal axis):

High Impact, Low Likelihood | High Impact, Medium Likelihood (B) | High Impact, High Likelihood

Medium Impact, Low Likelihood | Medium Impact, Medium Likelihood (E) | Medium Impact, High Likelihood

Low Impact, Low Likelihood | Low Impact, Medium Likelihood (H) | Low Impact, High Likelihood

4.30 High impact and high probability of occurrence risks clearly need to be the ones that are focused on in more detail (i.e. categories A to E shown on the diagram).

Quantitative Analysis
4.31 Quantitative analysis involves attempting to describe risk in numerical terms. To do this requires a number of steps to be followed, namely:

Defining the consequence;

Constructing the pathway; and

Building a model.

Defining the Consequence

4.32 Initially, it is necessary to define the numerical estimate of impact the risk will have. Examples of this will include:

The number of staff to be affected by the new arrangements; or

The total cost of failure of the partnership.

4.33 Within the definition, consideration needs to be given to, and parameters set for, the time frame over which risk is to be measured.

Construct a Pathway
4.34 Constructing a pathway involves consideration of all the sequential events that must occur for the adverse event to occur. This will involve considering 'what if' scenarios.

Building a Model
4.35 Given the risk pathway, a mathematical model then needs to be constructed that allows risk to be estimated. To do this, each step in the pathway and the corresponding variables for those steps need to be considered. Scores can then be assigned to each of the input variables. These are sometimes referred to as point-values. The relationship between the variables is then used to generate a point-value estimate of risk. To test the sensitivity of the model three point values are used that relate to a minimum, maximum and most likely estimate of impact.

4.37 The two main limitations of this type of modelling are that only three values are used where in reality a larger number of values may be appropriate and that this model does not make any use of the fact that the most likely estimate will occur more frequently.

A more refined financial model considers probability of occurrence for each of the input variables. Using probability distributions, all possible combinations are accounted for. A common approach used for this type of modelling is called the Monte-Carlo simulation. This is a computer intensive technique that involves random sampling for each probability distribution within the model to produce a large number of scenarios. Specialist software packages are available to run Monte-Carlo simulations.

As stated earlier, the decision on which qualitative and/or quantitative risk assessment model is most appropriate for an authority to use as part of their risk management will depend on how sophisticated the risk management skills are within the authority, what the risks are and what software packages they have access to.
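The following Python code is an added example, not part of the original guidance: it runs the three-point point-value model and a Monte-Carlo simulation over one risk pathway, then rates the results against the generic probability and cost criteria given under Qualitative Analysis. The sample risk, its figures, the budget, the triangular impact distribution and the independence of the pathway steps are all assumptions made for illustration.

```python
import random
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    pathway: list        # probability of each sequential event in the pathway
    cost_min: float      # three-point estimate of the consequence (GBP)
    cost_likely: float
    cost_max: float


def pathway_probability(risk):
    """Every event in the pathway must occur; steps are assumed independent."""
    p = 1.0
    for step in risk.pathway:
        p *= step
    return p


def three_point(risk):
    """Point-value model: probability x impact at min, most likely and max."""
    p = pathway_probability(risk)
    return {"min": p * risk.cost_min,
            "likely": p * risk.cost_likely,
            "max": p * risk.cost_max}


def monte_carlo(risk, runs=20000, seed=1):
    """Sample each pathway step and the impact distribution on every run."""
    rng = random.Random(seed)      # fixed seed keeps the result repeatable
    impacts = []                   # cost on the runs where the risk occurred
    for _ in range(runs):
        if all(rng.random() < step for step in risk.pathway):
            # triangular(low, high, mode): most likely value is drawn most often
            impacts.append(rng.triangular(risk.cost_min, risk.cost_max,
                                          risk.cost_likely))
    if not impacts:                # the pathway never completed
        return {"probability": 0.0, "mean_impact": 0.0,
                "p90_impact": 0.0, "expected_loss": 0.0}
    impacts.sort()
    return {"probability": len(impacts) / runs,
            "mean_impact": sum(impacts) / len(impacts),
            "p90_impact": impacts[int(0.9 * len(impacts))],
            "expected_loss": sum(impacts) / runs}


def probability_band(p):
    """Generic criteria from the guidance: >50% high, 20-50% medium, <20% low."""
    if p > 0.5:
        return "HIGH"
    return "MEDIUM" if p >= 0.2 else "LOW"


def cost_band(increase, budget):
    """Generic criteria from the guidance: <10% low, 10-30% medium, >30% high."""
    share = increase / budget
    if share > 0.3:
        return "HIGH"
    return "MEDIUM" if share >= 0.1 else "LOW"


# Constructed sample risk and budget, for illustration only.
SAMPLE = Risk("Partner cannot deliver the ICT transition",
              [0.6, 0.5, 0.8], 200_000, 500_000, 2_000_000)
BUDGET = 4_000_000

if __name__ == "__main__":
    points = three_point(SAMPLE)
    sim = monte_carlo(SAMPLE)
    print("Pathway probability:", round(pathway_probability(SAMPLE), 3),
          probability_band(pathway_probability(SAMPLE)))
    print("Three-point expected loss:", {k: round(v) for k, v in points.items()})
    print("Simulated probability:", round(sim["probability"], 3))
    print("Simulated mean impact:", round(sim["mean_impact"]),
          cost_band(sim["mean_impact"], BUDGET))
    print("Simulated 90th percentile impact:", round(sim["p90_impact"]),
          cost_band(sim["p90_impact"], BUDGET))
```

On the sample figures the most likely cost rates as a MEDIUM impact, while the simulated 90th-percentile cost rates as HIGH, which is the spread that a single most likely point-value hides.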

STEP 3 PLAN THE RISK RESPONSE


4.41 The planning stage is the activity within the risk management process of selecting and implementing the most appropriate way of dealing with the risk.

4.42 The first stage in the planning phase is to classify the identified and analysed risks as either:

Accepted risks: Currently acceptable to the project/partnership and therefore no action will be taken to mitigate or prevent these risks at this stage. They should however be regularly reviewed and assessed.

Rejected risks: Currently not considered to be a valid or real threat to the project/partnership at this stage.

Risks to be handled: These are the risks that require action to reduce or eliminate them.

4.43 For those that fall into the third classification, mitigation plans need to be prepared. These are the risk control options that set in place actions to reduce the probability and/or the impact of a risk prior to its occurrence. Within the mitigation plan all actions must be aligned to the single, most appropriate overall mitigation strategy. Mitigation options are:

Eliminate or avoid the risk;

Reduce the risk;

Transfer the risk; or

Accept the risk.

Eliminate or Avoid the Risk


4.45 This can be done by:

Changing the direction or strategy and revisiting objectives;

Improving channels of communication;

Obtaining further information from external sources;

Acquiring expertise;

Reducing the scope of the activity;

Adopting a familiar proven approach.

Reduce the Risk


4.46 This is the most common option for risk treatment. Risk actions should aim to reduce the probability of occurrence by targeting the cause and/or reduce the level of impact.

Transfer the Risk


4.47 It may be appropriate to transfer ownership and responsibility for the risk to another party outside the council. However, it may not be possible to transfer all aspects of a risk, for example where there is a statutory duty of care related to health and safety risk.

4.48 Methods of risk transfer include:

Financial instruments such as insurance, performance bonds, warranties or guarantees;

Renegotiation of contract conditions for the risk to be retained by the other party;

Seeking agreement on sharing risk with the other party;

Sub-contracting risks to consultants or suppliers. (Note: For this to be an effective transfer of risk, the sub-contractor must be in a position to own and manage the risk appropriately and have sufficient financial standing to bear the consequences of the risk materialising. Levels of insurance carried for insurable risk should also be checked.)

Accept the Risk


4.49 It will not be possible to remove some risks entirely. Where risks cannot be transferred, reduced or avoided/eliminated, the simplest control is to ensure that they are regularly reviewed and monitored.

To help stimulate ideas and discussion around selecting the best option, the following questions can be posed to the Risk Management Group when considering each of the risks in turn:

- Eliminate or avoid the risk: Can action be taken to prevent the risk from occurring?
- Reduce the risk: Can action be taken to affect the risk's impact/probability?
- Transfer the risk: Is another stakeholder or organisation better placed to manage the risk?
- Accept the risk: Should project/partnership resources be expended on this risk?

4.51 When evaluating the most appropriate option it is important to:

- Consider the cost versus benefit of different options;
- Assess all possible mitigation strategies;
- Take action at the earliest possible point in time.

4.52 Additionally, to be effective, risk responses must meet a number of important criteria. Use the checklist below to ensure all responses are:

- Appropriate (i.e. do nothing for small, minor risks);
- Cost effective;
- Actionable: defining the time within which responses need to be completed;
- Achievable: responses must be realistic;
- Effective: responses must have a high chance of working;
- Agreed upon by all partnership stakeholders;
- Allocated and accepted: each response should be assigned to ensure the most appropriate point of contact.

4.53 It is also suggested that, whichever option is chosen for handling a risk, a fallback/contingency plan is discussed for the cases where a mitigation plan fails to achieve the intended effect.

As with the assessment of risks, it is important to consider the opportunities the SSP will generate and to apply the same planning approach to them. The difference, however, is that instead of trying to reduce or eliminate the impact, the options for handling opportunities should attempt to make them more likely to occur or enhance their beneficial impact.

As an output from this stage all agreed actions should be recorded within a project/partnership risk register.

STEP 4 MONITOR THE RISKS


4.56 The risk monitoring stage includes implementing, monitoring, reporting and reviewing risk management actions against objectives. Once the risk register has been populated it is important to review the register either at a specific risk review meeting or as an element of other project/partnership meetings. These meetings are an opportunity to report new risks as well as to review changes to current risks. Sufficient historical information should be kept to provide a good audit trail of the reasons for decisions. It is important to routinely update the risk register or database after each review to reduce duplication of effort in the future.

As part of the monitoring stage it is a useful exercise to:

- Set risk reduction targets and assess progress against these

STEP 5 DOCUMENT LESSONS LEARNT


4.60 Whenever possible review the risks identified and assess how the partnership's efforts impacted on the outcome. Experience is an excellent teacher in risk identification and risk reduction, so sharing the experience within the authority and the partnership will help improve risk management skills. Lessons learnt should be documented so that future Risk and Project Managers within the authority can learn from past mistakes or issues.

CHAPTER 4

5 The Types of Risk

5.1 At the highest level risks can be categorised as either strategic or project risks. This section outlines risks that may be experienced under these two categories in a partnering contract.

STRATEGIC RISKS
5.2 In this instance strategic risks refer to high level threats to an SSP, at the pre-contract procurement or post-contract stage. These should be considered by members, chief officers and senior staff in the organisation(s) that are considering involvement in a partnership arrangement.

The Rethinking Service Delivery publications make reference to the OGC gateway review process as it is being field tested for local government by the 4ps; the key stages of the process are set out in appendix A. The review process envisages strategic risks being identified as part of the overall analysis of business need and in developing the business case before gateway review 1. If this is the position, it enables high-level threats to be assessed and researched with the aim of developing strategic and management responses that will help secure a sound strategic framework for the project/partnership from the outset.

Strategic risks must be well understood at the outset, and a risk management approach developed appropriately to be applied throughout each project stage before authorisation is given to proceed to each stage of the partnership procurement process.

The partnership should have a set of agreed objectives. Risks should be identified against these objectives. Initially, this would only be for the highest order of risk. These high level risks will then be considered and managed by senior staff and thus increase the organisation's ability to meet its objectives. Risks at the strategic and corporate level will then frame the context for more detailed risk management at the project specific level.

Detailed in appendix B are examples drawn from SPT pathfinder projects of the main risks to be considered at the strategic and corporate level. Suggestions are also made of ways to mitigate and control the risks. They have been grouped into risks that arise due to:

- Failing to ensure an effective strategic fit;
- Failing to identify and address the gaps and shortfalls in relationships;
- Failing to fully assess and plan for the organisational impact the changes will have; and
- Failing to robustly develop and test the economic case for the partnership.

5.7 It is stressed that the tables outline the main risks to be considered but do not constitute an exhaustive list for every partnership arrangement. Additionally, the suggestions of how to mitigate and control the risks are for guidance only and there may be a more appropriate approach depending on the individual circumstances. The Risk Manager can use the tables shown in appendix B as examples to stimulate discussions in an authority considering SSPs.

PROJECT RISKS
5.9 In this instance project level risks relate to factors that may affect progress against phases and milestones of the partnership arrangement. They also include risks at the operational level that relate to technical problems, supplier and contract management. Project risk assessment is not a one-time task; it must be periodically updated throughout a project life cycle for several reasons:

- To monitor and measure progress in risk management;
- To provide management with visible target dates and milestones in risk management activities;
- To identify new risk items and issues; and
- To establish new risk management priorities.

The following categories can be used as a starting point for identifying the main areas of project risk involved in SSPs. They have been derived from the experiences gained from a number of strategic partnering pathfinders, as well as from other projects outside of the pathfinders.

Eight categories of risk:

- Technical and operational risks;
- Political risks;
- Stakeholder interest risks;
- Financial risks;
- Organisational management/human resource risks;
- Legal risks;
- Procurement risks;
- Commercial risks.

Set out in appendix C are examples of the typical risks that could fall under these categories. The risks relate to those that may be experienced in a partnering contract of a public-public or a public-private nature. Additionally, in appendices D, E and F are examples of sector specific risks drawn from examples of pathfinder projects. As with the strategic risks, these appendices can be used to give examples to help stimulate discussions on possible risks in authorities embarking on SSPs in the future.

The lists are to act as tools to prompt risk identification and they should not be used as ready prepared risk registers or a definitive list of risks. Every partnership will have bespoke risks that may not be detailed. In addition, not all risks listed will apply to every partnership.

CHAPTER 5

6 Risk Management

6.1 Suggested tools to be used to support risk management within the partnership are:

- A risk management plan/strategy;
- A risk register;
- A risk adjusted financial model; and
- A partnership issues log.

RISK MANAGEMENT PLAN/STRATEGY


6.2 This describes how risk will be addressed in the partnership and is a document that captures the agreed framework for who will be involved, responsible and accountable, in addition to setting out how frequently the risks will be reviewed.

RISK REGISTER
6.3 The risk register is a record of all risks and their potential impact on the partnership. This is maintained by the Project/Risk Manager but should be made available to the whole project team to ensure there is a common and agreed understanding of the risks involved. It should be updated at the agreed frequency. For each risk identified the risk register should record:

- Reference number;
- Source of risk;
- Type/category of risk;
- Description of risk;
- Consequences and likelihood of risk occurring;
- Risk treatment;
- Risk owner;
- Target date for action/treatment;
- Action implications;
- Action status;
- Fallback/contingency plans; and
- Change history.

RISK ADJUSTED FINANCIAL MODEL


6.5 When preparing the business case for the SSP and testing the robustness of the economic case for the partnership it will be necessary to take account of the impact of risk. It is good practice to prepare a financial model for the SSP as part of the outline business case. The model will include expenditure items for running costs, capital costs, opportunity cost and financing costs. Rethinking Service Delivery Volume Two: From Vision to Outline Business Case provides more detail on what should be included in this model. This model should also be risk adjusted to reflect the major risks that may impact on the SSP project. This model is then a useful way of seeing what assumptions have been made regarding the level of risks and risk transfer that are needed to make the SSP affordable. This model will be a useful source to refer back to when negotiating and discussing what risks need to be transferred to make the partnership financially feasible.


PARTNERSHIP ISSUES LOG


6.8 The Project/Risk Manager should maintain this as a register to establish and record concerns, questionable points and problems that, unless resolved, should be moved to the partnership Risk Register.


Appendix A: Gateway Process


Risk to be considered at all stages in the OGC gateway process:

| Gateway intervention | | Stage in procurement lifecycle |
| --- | --- | --- |
| | Key business objectives and outcomes | Business strategy |
| Gateway Review 0: Strategic assessment | Business need identified; develop programme or project brief | Establish business need |
| Gateway Review 1: Business justification | Options identified and appraised; affordability, achievability and value for money established | Develop business case |
| Gateway Review 2: Procurement Strategy | (or equivalent internal process) Develop procurement strategy; specify requirements; update business case | Develop Procurement Strategy |
| Gateway Review 3: Investment decision | Evaluate bids; select or confirm supplier or partner; update business case | Competitive procurement |
| Gateway Review 4: Readiness for service | Award of contract/statement of work or transition to new contract; asset or service ready for delivery | Award and implement contract |
| Gateway Review 5: Benefits evaluation (repeated as required) | Service delivered; benefits achieved; performance and value for money maintained/improved | Manage contract |
| | End of contract, workpackage etc | Closure |

Appendix B: Strategic Risks


Risks of failing to ensure STRATEGIC FIT:

Risk 1: Shared vision and objectives not defined.
Mitigation: Corporate objectives of all the parties in the partnership need to be linked to shared and agreed joint vision and objectives. Convene a key strategic workshop with your partners to identify collaborative advantages of working together and processes needed to maximise effective outcomes. Engage members from the start via workshops. Address branding issue in public-public cases with regard to perception of public as to who is driving the partnership. Engage members in the debate on partnership and obtain buy-in from all political parties, not just the Leader/manager, before proceeding. Test volatility of policy with members and show link of policy objectives to partnership objectives. A successful SSP can only be promoted if the volatility of policy is capable of management by the partnership and therefore flexibility is an essential element of the partnership arrangements. Consider central government drivers and how they may affect local policy changes.

Risk 6: The project will not be attractive to potential partners whether they are in the public or private sectors.
Mitigation: Develop a robust strategic and outline business case (OBC) that defines the scope of the partnership. Ensure a soft marketing exercise has been carried out as part of the OBC and views of the market have been factored into the partnership development. Ensure long partnership contracts are benchmarked at regular intervals and that appropriate incentives are provided for service improvement. Pay attention to choosing the right partner.

Risk 8: Partner does not meet service delivery targets in a satisfactory or timely way.
Mitigation: Remember this is a partnership. Problems should be identified, scoped and solved together. Encourage joint ownership of problems and solutions as this builds trust and co-operation. Avoid a blame culture. If service delivery is failing, it is the responsibility of all partners to do something about it. Where this proves impossible, and service failures continue, action must be taken to remedy the situation through penalties or step-in procedures. Define a clear exit strategy.

Risk 9: No strategic approach to issues of risk, costs and benefits.
Mitigation: Define and agree a partnership risk strategy, and a strategic approach for dealing with costs and benefits of the partnership, specifically on sensitive areas such as pooled budgets and accountability that may result as part of the partnership arrangements.

Collaborative advantage for working together not defined or optimised.

Lack of political support for a public-private partnership or political alignment in public-public partnerships. Local political leadership changes and support for the deal wanes (both at the outset and in the future). Local authority policy changes.

Strategic dependence on one partner may reduce the authority's ability to seek improvements in efficiency and quality.

Risks of failing to identify and address gaps and shortfalls in RELATIONSHIPS:


Risk 1: Lack of effective and consistent leadership for the partnership.
Mitigation: Ensure key roles are allocated and the project/partnership champion role is allocated to someone with enough time and energy to lead on the partnership development. Partnership is not easy and relies heavily on the interpersonal and strategic management skills of executives responsible for developing and maintaining it. Buy in and continued interest and energy from the very top are absolutely necessary for success. Depth of involvement is also critical. New types of relationships will need to be formed at all levels within the partner organisations. Strong leadership throughout the organisations will be needed. Change management expertise will always be required, from all partners.

Risk 3: Lack of trust within the partnership.
Mitigation: Develop an effective governance structure. Hold joint workshops to facilitate trust building and mutual understanding of issues.

Authority does not have adequate management capacity to manage the procurement, negotiation and change management processes.

Not all key stakeholders are involved.

It is critical that buy-in from all key stakeholders is achieved. Missing out a key stakeholder could be detrimental to the long term partnership objectives. Ensure a thorough brainstorming session takes place early on to identify key stakeholders. Continually revisit/test the key stakeholder list to ensure everyone has been captured.

Partner fails to value staff and does not look after them well, providing poor terms and conditions and insufficient opportunity for personal development.

Where contracts are squeezed very tightly and inadequate flexibility provided for business process re-engineering and cross-skilling, partners may find their only opportunity to make any profit is by reducing the number of staff or renegotiating the terms and conditions of those staff. TUPE will protect staff terms and conditions at initial transfer and Workforce Code will protect new joiners. Partners should be encouraged through the structure of the payment mechanisms within contracts to provide training and personal development opportunities for all staff.

Robust contracts not drawn up to underpin the partnership deal.

Choose the right contract for your circumstances: public-public partnerships need a contract as well as public-private partnerships. Research has shown that good partnerships have two types of contract:

1. A partnership agreement, which describes high level processes such as gain sharing and scope, describes the structure and role of the partnership board and establishes relationships and behaviours between the partners.
2. Stand-alone contracts, which specify the scope and work of the programme and contain conventional terms and conditions.

This ensures that, even if the partnership breaks down, the service delivery contracts will stand and deliver, albeit without the flexibility over the lifetime of the deal that the partnership enabled.

Relationship with partner breaks down and subsequently one of the major partners withdraws.

No matter how good a relationship may be, difficulties will always arise from time to time. Ensure mechanism for conflict resolution is agreed with all partners at negotiation stage. Create a joint strategic board for the partnership that meets regularly to discuss issues. Draw up a joint risk register and keep it under review throughout the contract. When problems are looming on the horizon, talk about them and work on a solution together before the risk matures and the impact is felt. Keep monitoring of PIs transparent and honest.

Inappropriate relationship and communication style adopted.

Authorities need to understand clearly what form of relationship they will need to build and maintain in order to support the contractual structure and payment mechanism which they have decided to adopt.
Have a partnership agreement that sets out partnership objectives and protocols. Define a formal and informal communication and consultation strategy. Define and agree a partnership structure with clear responsibilities post contract implementation.

No strategies for sustaining relationships including when the partnership is operating.

Risks of failing to assess and plan for the ORGANISATIONAL IMPACT the changes will have:

Risk 1: Lack of clarity about the status of the partnership and subsequent misunderstanding of process and commitments either internally in the organisation or externally with the different parties of the partnership.

Local authority structure and culture inappropriate for forming and maintaining strategic partnerships.

Mitigation: Develop partnership agreement as soon as possible that details commitments of all parties. Define and agree partnership protocols. Ensure members buy-in at all stages of the procurement and throughout the lifetime of the agreement. Keep staff fully informed of plans for development of strategic partnerships.

Risk 3: Improvements do not meet Council's and/or public's expectations.
Mitigation: Deals which gain visibility to the end-user may generate unrealistic expectations for speed and scope of service improvements. Ensure data is being collected well before contract award for comparison, to align expectations about service improvements. Measure customer satisfaction and manage customer expectations. This implies a pro-active role for the local authority before and during the lifetime of the partnership arrangement.

Partnership initiative is incompatible with other local authority contracts or initiatives.

Assess the financial and non-financial implications of the new arrangements on existing contracts, commitments and initiatives.

Risks of failing to robustly develop and test the ECONOMIC CASE for the partnership:

Risk 1: Failure to commit resources to the business case for fear that the investment in time and resources will be abortive, as proposals may not represent value for money or be affordable.
Mitigation: This risk is managed by adopting well-constructed processes in formulating an outline business case (OBC). A thorough financial evaluation, including a robust affordability model, needs to be carried out. Ensure a robust financial plan. Ensure guarantees are provided, and proof of access to finance is obtained early in the negotiations. Convene on-going risk management workshops. Draw on good previous examples. Manage legal advisers and seek to keep the contracts simple and concise. Prepare an overarching partnership agreement and supplement this with straightforward service delivery contracts based on an output specification.

Risk 5: Any partner fails to fulfil contract requirements.
Mitigation: Ensure contracts are kept simple and it is clear from the beginning who is responsible for delivering what and when. Select the right partner. Ensure that there is a logical mechanism for review and possible termination for individual service bundles, so that bad performance in one area, if not resolved even after working through it together, need not wreck the whole deal.

Risk 6: Private sector partner faces financial difficulty.
Mitigation: Remember that this is a partnership and there should be early discussions if this situation arises to ensure all parties are aware of the situation and there is the opportunity to discuss necessary actions. Ultimately, ensure contract covers this eventuality explicitly and provisions are made to deal with the situation if it arises. This will be in the form of an appropriate exit strategy. Where a joint venture company (JVC) is being formed with the private sector organisation, ensure that the Council defines and limits its liability for trading losses incurred by the JVC.

Risk 7: Public sector partner withdrawal.
Mitigation: Multi-authority projects run the risk of one or more partners withdrawing. At the commencement of a project all partners have commitment to its objectives. The risk will need to be continually monitored and alternative strategies developed in outline if the withdrawal of a potential partner occurs. Ensure that appropriate benchmarking and market testing processes are in place and used regularly throughout the lifetime of the partnership contract.

Lack of clarity about when financial benefits are to be realised and Investment funds fail to come through from private sector partner.

Risk 3: No objective approach to sharing cost.

Risk 4: Contract and partnership development costs are too high.

Inspection reveals poor value for money is being obtained through the partnership.

Mitigation: Set up partnership boards and ensure that non-executive members are appointed to that board to provide an objective governance function.

Reduction in competition throughout the lifetime of the deal will impair value for money.

Appropriate benchmarking and market testing are absolutely imperative where contracts exceed 5 years in length. Proving value for money is not always easy; the method for achieving this should be described in the contract. Look at value for money criteria by reference to a wide context: consider issues such as economic regeneration, sustainable development and social inclusion. Partners need to be incentivised to provide innovation and service improvement over the lifetime of the contract. Contracting for outcomes, rather than outputs, may be one solution.

Appendix C: Generic Project Risks


Summarised in the following tables are the typical risks for consideration grouped into the eight categories listed in section 6. The risks in these tables are generic risks that may be encountered in a partnership irrespective of the service area or areas being affected.

Technical and Operational Risks

1. Not being aware of changes in demand for service and therefore specification does not accurately reflect demand levels
2. Failure to deliver service improvements
3. Inadequate baseline calculations leading to discrepancies when comparing to actual and/or future deliverables
4. Inability to measure savings & quality outcomes leading to poor project management
5. Failing to acknowledge and appreciate project timetable & associating milestones leading to over or under resourced and/or budgeted projects
6. Not ensuring a common project delivery/timetable with stakeholders leading to problems in communication and expectations
7. No appropriate penalties/defaults established for project deliverables
8. There is no clear definition for the level of expertise/resources/capacity to be involved
9. Internal pressures lead to the development of an inadequate mechanism for carefully selecting external advisors
10. Impact on existing contracts not considered sufficiently.
11. Different starting points for the parties involved in the partnership causes operational difficulties
12. Different expectation levels and required outcomes for the parties involved in the partnership
13. Pressure from within authorities to deliver quick wins could be at the expense of longer term gains
14. Failing to establish & then abide by service level agreements
15. Continuous improvement targets not being met
16. Not understanding the capacity of the partner
17. No clear vision for Public-Public relationship
18. No clear vision for Public-Private relationship
19. Failure to establish service ownership / management of information
20. Lack of co-ordination and structure to handle partnership based projects (in addition to own projects)
21. Over ambitious approach to management of change with insufficient supporting metrics
22. Lack of Project / Programme management standards and realisation of role of project manager
23. Project / Programme management failure resulting in unforeseen cost overruns and late delivery
24. Inadequate management resources to implement strategy
25. Changes to the services required from the Partner (as a result of Best Value service reviews or inspections, benchmarking exercises or internal or external audits relating to the Council's retained services)
26. Change in volume of service requirements
27. Assets owned/managed by the partnership are damaged by fire, flood or by a third party (accident, vandalism etc)
28. Assets owned/managed by the partnership cause damage or physical injury to a third party
29. Need to comply with statutory requirements and responsibilities
30. Lack of risk management expertise
31. Failure to involve professional assistance and expertise e.g. legal, at the right stage.
32. Contract/partnership management role not sufficiently defined
33. Failure to apply an effective health and safety management and monitoring system across the partnership.

Political Risks
1. Different approaches to political structures (e.g. cabinet vs. committees) causes inconsistencies
2. National projects fail to deliver promises
3. Emphasis on regional government entrenches authorities individually in a fight for survival
4. Political leadership changes leading to conflicts within the organisation
5. Change in local authority functions e.g. Benefits
6. CPA Inspection or audit recommendations change focus/priorities for the authority.

Stakeholder Interest Risks


1. Failure to engage each partner authority in a mutually beneficial relationship
2. Failure to develop partnership focus on customer services
3. Partners fail to deliver on individual responsibilities
4. Over / under reliance on one partner's involvement
5. Failure to collaborate on key technology decisions
6. Failure to identify / emulate / share / benchmark with good practice
7. Level of clout varies across partners
8. Level / scope of delegated powers vary across partnership that leads to conflict
9. Significant differences in organisational cultures across partnership are underestimated
10. Tensions between local and partnership objectives and priorities
11. No joint approach to incident and exception reporting
12. Inadequate integrated arrangements to respond to a major incident
13. The reputation and image of one of the partners is affected by actions of the other partners
14. Mismatch in understanding of risks between public and private sector
15. Failure to define a detailed and on-going communication strategy
16. Failure to involve all key stakeholders
17. Lack of trust within the partnership
18. No strategy for sustaining relationships post contract signing

Financial Risks
1. Failing to define and develop cost of procurement
2. Outline project affordability relating to programme/projects not accurate
3. Inability to achieve savings by accurately outlining costs & resources required
4. Insufficient financial support to complete projects
5. Savings to fund complete programme not achieved quickly enough, or not at all
6. Changes in how the organisations trade or operate affect their VAT position
7. Failure of partner to raise finance required for implementation
8. Changes in tax affect affordability, pre or post contract signing
9. Unanticipated finance costs
10. Price variation indices running at a different rate than that assumed in any financial model or contractual index
11. Changes in interest rates not planned for
12. Cost of insurance underestimated
13. Cost projections are inaccurate affecting future iterations of a project

Organisational Management/Human Resource Risks


1. The innovative nature of transformation is unacceptable or misunderstood within services
2. Failure to address the HR organisational implications, including the cost of pensions.
3. Non-availability of skills internally and externally within market place lead to resource issues
4. Inability to carry staff (and unions) with the changes
5. Unable to put in place new recruitment / reward / career structures
6. Inability to identify and roll out appropriate training programme in a timely manner
7. Lack of clarity, accuracy and completeness of employment records and salary details etc in relation to transferees.
8. Unavailability of adequate performance monitoring information.
9. Differing HR sections with own policies and procedures that leads to confusion around which policy or procedure to follow.
10. Operating two similar but not identical conditions of employment impact on morale of staff that are undertaking similar work but are on different terms and conditions
11. Staff are unable to adapt to new roles, responsibilities and the culture of the partnership
12. Staff are seconded and it is subsequently deemed that there was in fact a transfer of undertaking
13. Lack of clarity over responsibility for staff performance, discipline etc.
14. Divergent recruitment practice resulting in challenge to appointments and dismissals.
15. Different governance arrangements of individual parties conflict.
16. No clear partnership governance arrangements agreed
17. Lack of effective leadership for the partnership

Procurement Risks
1. Practical fallback option not clearly understood
2. Developing unrealistic process & milestones
3. Not succeeding in managing different expectations internally
4. Not succeeding in managing different expectations externally
5. There is no ownership for key issues/processes
6. Communication within public partners is weak
7. Baseline requirement unacceptable to suppliers
8. Failing to maintain competitive approach in final negotiation
9. There is no real evaluation criteria (including credibility) when selecting preferred suppliers
10. There is insufficient information available to review cost/capability/availability of external advisor/s
11. Procurements fail to recognise business critical factors
12. Inability to deliver a quick win to demonstrate benefits
13. Insufficient market appetite/competition
14. Lack of accuracy and adequacy of the partner's assumptions as to the cost of and risks involved in service provision.
15. Lack of clarity or definition in user output specifications and other requirements.
16. Not developing a mandatory minimum proposal structure
17. Lack of flexibility in partnership contract
18. Insufficient expertise to conduct the procurement in accordance with the regulatory and policy framework

Legal Risks
1. Legal constraints (e.g. Data Protection Act) prevent or delay joining-up and partnership working
2. Partnership dependence on existing assets and rights of assets bought under the partnership
3. Conflict over intellectual property rights
4. Transferability of licences and other third party contracts not sufficiently investigated
5. Changes to the services required as a result of new laws or regulations or changes in existing laws or regulations
6. Failure of partner to comply with relevant laws and regulations (including in relation to telecommunications, health and safety, data protection and human rights) or the partner causing the Council to be in breach of any law or regulation
7. TUPE challenge to secondment arrangements between the partnership
8. Breaches of procurement regulations

Commercial Risks
1. There is insufficient information available to review and define capacity/skills/resources
2. Cultural acceptability leading to change management problems underestimated
3. Failing to establish communication process & mechanism
4. Political acceptability not tested sufficiently, leading to internal conflicts
5. Lack of stakeholder involvement leading to misunderstanding of scope & requirements
6. Project creep, i.e. uncontrolled drift away from original objectives
7. Failure to maintain sub-contractors effectively leading to disputes
8. Take up by customers is lower / slower than projected
9. Partnership fails to meet customer expectations of improved services
10. Partnership does not understand customer demands due to current level of public consultation
11. Partnership fails to identify changes / evolution in customer requirements
12. Changes in volume of service required outside the defined parameters and therefore not planned for.
13. Perceived threat to empires reduces management buy-in
14. Service benefits may not be delivered quickly enough
15. Lack of consistent senior officer attention / understanding across all authorities
16. Lack of clarity over executive powers and the role of scrutiny
17. Lack of consistent Member attention / understanding across all authorities
18. Quality, condition and quantity of assets, furniture and office equipment, tools and plant etc to be transferred into the partnership not sufficiently defined and priced for accordingly.
19. Suitability of existing premises or assets to be used by the partnership not properly assessed
20. Difference in insurance policies taken out by the different parties in the partnership can lead to uncertainty in the event of claims and litigation.
21. Lack of awareness of factors external to the partnership's day-to-day operations that can affect the overall delivery

Appendix D: Corporate and E-government Risks


Summarised in the following tables are the specific risks for consideration that, from research of the pathfinder authorities, are encountered in SSPs for Corporate and E-government services. The risks where relevant have been grouped under the same categories as the general risks referred to in appendix B.

Technical and Operation Risks


1. Ineffective integration strategy of new systems with individual local authority IT systems
2. Failing to establish a business process re-design strategy
3. Lack of training for users
4. Failure to establish information / knowledge management standards (e.g. data sharing protocols, unique identifiers)
5. Services fail to manage their IT relationships and/or projects
6. Resistance in the back / front office split
7. Lack of senior officer commitment to, and understanding of, e-Government diminishes appetite for change
8. High level of professional resistance (for example, within planning functions) means lack of support for joining-up at middle management level
9. Lack of suitable authentication models / software delays joining-up
10. New channels unable to use information formats currently
11. Technophobia and requirement to prove to officers / Members IT will work
12. Impact on existing licences (e.g. software) the Local Authority has not been evaluated accurately.
13. Partner's proposed ICT solutions and associated re-engineered business processes do not support the Council's requirements as to performance, availability, functionality or volume
14. Partner's proposed ICT solutions and associated re-engineered business processes do not meet the requirements of the output specification
15. Inadequacy of licences and consents
16. Insufficient contingency, security & disaster recovery planning and back-ups
17. Increase in unauthorised activities due to Electronic Service Delivery being anonymous
18. Poor audit trail on why certain decisions or amendments to key documents have been made.
19. Increase in unauthorised access to assets due to poor security measures
20. Lack of accountability for decisions as electronic processing can allow anonymous processing


Political Risks
1. Failure to achieve social inclusion within access to services
2. Failure to achieve geographically inclusive access to services
3. Swing in political power over period changes emphasis on e-Government
4. Government fails to deliver technical standards
5. Issues of information security, authentication etc not resolved nationally
6. New Government orders/strategies change emphasis on e-Government

Financial Risks
1. Failure or inadequacy of technology leading to delays and/or unforeseen costs.
2. Delay and/or unforeseen costs as a result of incompatibility, integration and/or interface issues.
3. The partner reconfigures the transferred processes in such a way that causes the Council to incur unexpected costs and expenses
4. Unexpected changes in licensing costs and carrier costs
5. Increased risk in duplicating transactions via electronic processing

Organisational Management/Human Resource Risks


1. Electronic Service Delivery (ESD) not fully understood within services

Procurement Risks
1. Lack of standardisation within procurements to clarify the role of IT in joining-up
2. Technical infrastructure is inadequate for continuing development
3. Lack of service client control over IT
4. New technologies may not perform to promised standards
5. Rate of technology change overtakes investments already made

Legal Risks
1. Data Protection / Human Rights Act inhibit joining-up

Commercial Risks
1. Public resist change and do not use new channels
2. Citizens do not understand the concepts of e-Government
3. Electronic service delivery is regarded as an add-on, rather than improvement
4. New channels may not be available quickly enough to meet public demand
5. Virus introduced into a system key for business operations

Appendix E: Education, Health and Social Services Risks


Summarised in the following tables are the specific risks for consideration that, from research of the pathfinder authorities, are encountered in SSPs for Education, Health and Social Services partnerships. The risks where relevant have been grouped under the same categories as the general risks referred to in appendix B.

Technical and Operation Risks


1. Lack of involvement of community and voluntary sector in management of services
2. Lack of an understanding of the statutory responsibilities
3. Service may be subject to two separate inspectorates that could lead to differing or conflicting standards and requirements.
4. Lack of understanding of, and confusion in language about, the difference between case risk management and partnership/project risk management
5. Inadequate accountability arrangements for training targets, for example, care standards

Political Risks
1. Lack of understanding of sensitivities involved in providing a people intensive service
2. Change in central government policy and approach

Stakeholder Interest Risks


1. Conflicts developed around professional versus clinical quality issues.
2. All relevant agencies not engaged in supporting the work of the partnership
3. The views of the local families are not taken into account in the development of the partnership
4. Failure to engage commonly excluded groups.

Organisational Management/Human Resource Risks


1. Uncertainty regarding the role of statutory post-holders (e.g. approved social workers, director of social services, section 151 officer etc)

Legal Risks
1. Possible lack of clarity as to responsible body in the partnership and what standards should be met.

Appendix F: Transport and Environment Risks


Summarised in the following tables are the specific risks for consideration that, from research of the pathfinder authorities, are encountered in SSPs for Transport and Environment services. The risks where appropriate have been grouped under the same categories as the general risks referred to in appendix B.

Technical and Operation Risks


1. Insufficient design warranties from sub-contractors
2. Poor management of the supply chain that affects service delivery
3. Lack of accuracy in inventory and surveys
4. Underground supply network is worse than expected and planned for.
5. Delays caused by utilities/statutory undertakers
6. Damage caused to the environment during operations
7. Unforeseen ground/site conditions including structures
8. Vandalism
9. Poor weather slows delivery down
10. Latent defects in existing and new apparatus
11. General public opposition to the project
12. Environmental demonstrations as a result of opposition to the project
13. Formal processes, for example for planning approval, slow the process down.
14. Contaminated or hazardous materials found on site
15. Equipment and apparatus installed does not meet required standards
16. Safety concerns: will any new provider instil confidence?

Stakeholder Interest Risks


1. Insufficient public liaison and consultation
2. Overconfidence that, because there is a process for consultation, it will not get in the way.

Financial Risks
1. Lack of compliance with funding requirements
2. Capital cost over-runs

Organisational Management/Human Resource Risks


1. Poor management and supervision of contract, including the whole supply chain

Commercial Risks
1. Changes in design standards and Codes of Practice
2. The need to redesign due to defects in the original design
3. Third party claims against the partnership

Appendix G: Reference Documents


This document is not designed to be the sole source of advice but is designed to be sufficient to guide an authority through the process of risk management as part of their pre and post procurement phases with their SSP. Other sources of information to which an authority may wish to refer to help increase their knowledge of risk are listed below:

1. ODPM Strategic Partnering Taskforce (SPT) Rethinking Service Delivery (Volumes 1-5)
2. Audit Implications of Electronic Service Delivery in the Public Sector
3. Worth the Risk: Improving Risk Management in Local Government (Audit Commission)
4. A Risk Management Standard: Institute of Risk Management, The Association of Insurance and Risk Management and ALARM, the national forum for Risk Management in the public sector
5. Project Risk Analysis and Management Guide: Association for Project Management
6. OGC: Good to Practice Guides.
